mace-opensaml-users - Re: [OpenSAML] signed SAMLRequest in SOAPMessage
Re: [OpenSAML] signed SAMLRequest in SOAPMessage

  • From: Chad La Joie <>
  • Subject: Re: [OpenSAML] signed SAMLRequest in SOAPMessage
  • Date: Fri, 24 Apr 2009 11:34:33 -0400
  • Organization: SWITCH

Review the archives on this list. Signature questions are one of the
most common issues that people run into. The short answer is, you need
to *really* know what your tools are doing. Signatures are incredibly
brittle and there is no easy way to diagnose all the problems you run into.


wrote:
> Hi,
>
> I am developing a web service that accepts a SAMLRequest as input and
> returns a SAMLResponse as output to deliver secure tokens (as
> SAMLAssertions).
> The SAMLRequest in the input needs to be signed.
> Generating the signature on the client side and verifying it on the server side is
> easily done with the OpenSAML API.
> The problem is when I use a JAX-RPC web service client to send the request to
> the web service (the web service needs to be callable from different clients).
> When it puts the request into the SOAPBody, it uses a different
> namespace prefix than the one that was set in the original request document
> when it was signed.
>
> When I print out the OpenSAML SAMLRequest before it is sent, I have this:
> <Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...
>
> The web service client puts this in the body:
> <samlp:Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...
>
> which is also valid XML, but the signature on the SAMLRequest is broken now
> (samlRequest.verify() on the server side throws an exception).
>
> Have you guys stumbled on this problem before?
> How do you deal with namespace prefixes in signed SAMLRequests?
> Is there anything I should do on the client side/server side before
> signing/verifying?
> I think I can work around this by defining a simple String as the input of my
> web method in my WSDL instead of the SAML request element of the SAML
> protocol schema, but if possible I want my interface to clearly define that it
> only accepts SAMLRequests.
>
> Kind regards,
>
> Frederik

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
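The failure Frederik describes can be reproduced without a SOAP stack. The Python below is an added example, not code from this thread or from OpenSAML: it takes the two serializations quoted above, confirms they carry the same XML infoset, and then shows that a prefix-preserving canonical form (the property Inclusive and Exclusive C14N share, and what an XML Signature Reference digest is computed over) differs, so the digest check inside verify() fails. The small serializer is a stand-in for real C14N and the RequestID/version attributes and child element are constructed.

```python
"""Why re-prefixing a signed SAML Request breaks its XML Signature (constructed)."""
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

NS = ('xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
      'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
      'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"')
BODY = '<saml:AssertionIDReference>_a1</saml:AssertionIDReference>'
# Constructed: the Request as the client signed it (default-namespace form).
SIGNED = f'<Request {NS} RequestID="_r1" MajorVersion="1" MinorVersion="1">{BODY}</Request>'
# Constructed: the same Request after the SOAP client re-serialized it.
RESERIALIZED = (f'<samlp:Request {NS} RequestID="_r1" MajorVersion="1" MinorVersion="1">'
                f'{BODY}</samlp:Request>')


def infoset(xml_text):
    """Namespace-resolved view (what the XML means); prefix names vanish here."""
    return [(el.tag, sorted(el.attrib.items()), (el.text or "").strip())
            for el in ET.fromstring(xml_text).iter()]


def prefix_preserving_c14n(xml_text):
    """Stand-in for C14N (assumption: shares only its prefix-preserving property):
    element names as written, attributes incl. xmlns declarations sorted by name,
    insignificant whitespace dropped; escaping is not handled."""
    def emit(node):
        if node.nodeType == node.TEXT_NODE:
            return node.data.strip()
        attrs = "".join(f' {a.name}="{a.value}"'
                        for a in sorted(node.attributes.values(), key=lambda a: a.name))
        inner = "".join(emit(c) for c in node.childNodes)
        return f"<{node.tagName}{attrs}>{inner}</{node.tagName}>"
    return emit(minidom.parseString(xml_text).documentElement)


def digest_value(xml_text):
    """What the signer stores in ds:DigestValue (hex here instead of base64)."""
    return hashlib.sha256(prefix_preserving_c14n(xml_text).encode()).hexdigest()


def reference_is_valid(received_xml, digest_from_signature):
    """The step that fails in samlRequest.verify(): recompute and compare."""
    return digest_value(received_xml) == digest_from_signature


if __name__ == "__main__":
    stored = digest_value(SIGNED)
    print("same infoset:", infoset(SIGNED) == infoset(RESERIALIZED))            # True
    print("valid as signed:", reference_is_valid(SIGNED, stored))                # True
    print("valid after re-prefixing:", reference_is_valid(RESERIALIZED, stored))  # False
```

The only robust fix is to hand the verifier the bytes exactly as they were signed, before any SOAP stack re-serializes them, which is what the opaque-String interface in the question achieves.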
